feat(deps): registry resolver — PB1–PB5 + docs#1361
Closed
nadav-y wants to merge 1 commit into
Closed
Conversation
nadav-y
requested review from
danielmeppiel and
sergio-sisternes-epam
as code owners
nadav-y
force-pushed
the
claude/beautiful-moore-37041b
branch
from
24e4d4b to
68310f3
Compare
Implements PB1–PB5 from the post-commit design review of the registry
resolver prototype. No behaviour change for existing git-based projects.
### What changed
**PB1 — Object form only in v1**
- Remove `owner/repo@<name>#<ref>` named-scope shorthand — `@` collides
with SSH `git@host` and marketplace shorthand.
- Keep `registries.default:` routing: string shorthand with a *semver*
ref auto-routes to the default registry. Non-semver refs (branches,
SHAs) always stay on the Git resolver.
- `registry:` key is optional in object form; when omitted, the entry
routes through `registries.default`.
**PB2 — Flag rename**
- Experimental flag renamed `package_registry` → `registries`.
- Enable: `apm experimental enable registries`.
**PB3 — Registry config in `~/.apm/config.json`**
- `apm config set registry.<name>.url <url>` / `registry.<name>.token <token>`
write to `config.json`.
- Token precedence: env var (`APM_REGISTRY_TOKEN_<NAME>`) > config.json.
- Hard-fail if `token:` appears in any repo-tracked YAML.
**PB4 — Registries as a governance primitive**
- New `registry_source:` block in `apm-policy.yml`:
- `require: [<names>]` — listed registries must be reachable; fail-
closed if a named registry has no URL in the project's `registries:`
block.
- `allow_non_registry: false` — blocks any dep not routed through a
configured registry, applied transitively.
**PB5 — SPI / Artifactory rename deferred**
- `RegistryClient` left as-is; SPI abstraction is a follow-up PR.
### Documentation
- New `guides/private-registries.md` end-to-end guide.
- Updated `guides/registries.md` with correct semver-only routing rules,
user-level config, and policy governance sections.
- Updated `reference/manifest-schema.md`, `reference/policy-schema.md`,
`reference/cli/config.md`, `reference/cli/install.md`,
`consumer/manage-dependencies.md`, `enterprise/security.md`.
- Flag rename propagated across all docs that referenced `package-registry`.
- Fixed docs bug: three pages incorrectly listed non-semver refs as valid
registry selectors; corrected to semver-only.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
nadav-y
force-pushed
the
claude/beautiful-moore-37041b
branch
from
68310f3 to
5f785b7
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
-- will reopen under the right branch